JPS5840778B2 - transaction terminal device - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION The present invention includes a transaction execution device, and more particularly, a central database in communication with a remote terminal device, and a central database in communication with any one of a plurality of collaborating institutions. The present invention relates to a transaction execution device that enables the execution of transactions, such as cash payments or transfers of funds between accounts, in response to a machine readable identification card issued by a company.

Various systems have been developed for public convenience and economy to carry out transactions requested by users.

An example of this is a check cashing machine. The machine reads the data from the inserted check and, if the check is valid, pays out cash equal to the amount of the check.

Other systems using credit cards have also been developed.

A credit card system uses central data
The base stores credit card information.

In response to submission of an account number from a remote terminal, the system provides information regarding the account.

For example, the system can indicate that the card is expired, stolen, or has a balance.

After the transaction is completed, the system properly adjusts the storage information to balance the transaction.

Another example of a credit card system, often used by banks to extend their operations during busy hours or after hours, is a system that allows cash to be paid or deposits to be received through a terminal device. I have to.

Typically, such terminal devices include a mechanism for accepting credit cards and reading information therefrom, a keyboard,
It includes a display device and a paper leaf inlet/outlet hole.

A terminal device can operate in conjunction with a database or as a stand-alone device.

Providing each credit card with a personal ID (identification) number increases the security of cash payments without human intervention.

At this time, credit card transactions can only be performed when the ID number corresponding to the account number read from the credit card is input from the keyboard.

This required responsiveness ensures that a thief, or someone who simply finds the credit card, will not be able to receive cash from the terminal.

When the terminal works with a database, the correspondence between account number and ID number can be chosen at random, but often the ID number is allowed to be derived from the account number according to a predetermined code.

In this case, in order to allow the ID number to be randomly selected by the customer, a numerical value (offset) is recorded together with the account number on the card.

This shift value is chosen such that when added to or otherwise combined with the number derived from the account number according to the predetermined sign, the result is a randomly selected ID number.

This predetermined relationship between the ID number and the card's account (and shift) data allows a single terminal device to verify the ID number by algorithmically relating the ID number to the account number.

When credit cards issued by multiple cooperating banks are made available for use on a given terminal device, all these banks use the same code or algorithm, or the same code or algorithm is used to derive the ID number from the account data. It must be possible to identify algorithmic relationships in the form of other examples, etc.

One such system provides the same pseudo-random number table for each terminal device.

The random number table is semi-randomly addressed, first by the institution's identifier and then by a logical combination of the output of the table and the digits of the account number.

In this system, cards issued by various banks can be used, but the people at each bank have a clue on their terminal device to the algorithms used by all the other banks, and if they know the bank identifier code. , the ID number can be easily reproduced.

Other systems provide key-driven algorithms to determine the relationship between ID numbers and account numbers.

This system uses linear and non-linear operations to combine account numbers and key numbers to generate test numbers that are compared to ID numbers.

This system is described in US Pat. No. 3,956,615.

However, in order for cards issued by different banks to be usable on the same terminal, all banks must use the same key number, and the account number must be in the same field on all cards.

In one improved version of the system in this U.S. patent, a cryptographic key table is prepared in each terminal device, and the table contains a code for generating a check number to be compared with the ID code sent from the keyboard. Input the necessary keys for use in the key-action algorithm for multiple cooperating banks, along with data identifying the account used, the shift, and the location of that data on the card's data track. .

However, this system is subject to storage constraints on the size of such tables, and each terminal can only operate with cards issued by a few selected cooperating institutions.

Additionally, the system cannot handle cards with the same institution ID and card status but different formats, such as occurs when a bank changes its issuing card standards between two different formats. Can not.

A credit card and ID number verification system that operates with keys derived from tables improves the security of each cash payment terminal and allows multiple banks to collaborate in accepting cards issued by other banks. However, there is a weakness in which large sums of money that are stored in the terminal device or in cooperating bank accounts and that can be transferred between funds through the operation of the terminal device can be stolen.

One critical issue is the security ratio of cryptographic algorithms in terminal devices that can operate standalone or can also operate online.

Today, a large number of operators or maintenance personnel are required to operate cash dispensing terminals.

For example, one or two people at each branch of a bank may have internal access to the cash dispensing terminal.

These personnel often also have access to cryptographic keys for routine maintenance.

Or, alternatively, with little training.
Such personnel may learn how to obtain the key by measuring electrical signals in internal circuits.

Once the encryption key is obtained and the algorithm is known,
It is possible to create correspondences between a large number of account numbers and ID numbers.

In that case, if the format of the card and the location of the verification data and displacement data on the card are known, the correspondence ratio between the card data and a randomly selected ID number can be ascertained.

Another security issue may arise from transmitting account and ID information between the terminal device and the host's database.

Such transmissions often use public communication lines, and as a result there is a risk that they will be monitored by a large number of people.

Encryption is often used to improve the security of communications, but those who can see through this code or who have access to it can monitor this transmission and receive credit. It will be possible to derive the correspondence between card account information and ID numbers and compile the list.

Furthermore, by generating fake terminal equipment traffic,
There is a risk that an attacker could contact the host's database and fraudulently transfer funds in the database's account.

The transaction execution device of the present invention includes a host data processing device having a database of stored information for a number of accounts and a plurality of transaction terminals.

Each terminal maintains a table of cryptographic keys and card format information for multiple card issuers, allowing the issuer to be read from the identification card presented to the terminal by an individual seeking permission to conduct a transaction. In response to the ID, search the table for this terminal.

If the issuer ID is not found in the terminal table, the host similarly searches the master table when the terminal communicates the card data to the host.

The items in the master table for the issuer are used for transactions.
The terminal can be contacted by the host and then removed from the terminal's list.

The host can examine the consumer's information file and instruct the terminal to save the card, stop the transaction, or take other actions as indicated by this information.

Additionally, the local host may contact another remote host to populate the local host's database with consumer information in anticipation of transaction requests from the terminal.

The encryption key is stored in encrypted form in both the host and terminal tables, and is doubly encrypted during communication.

The cryptographic key and card format table are made accessible in response to card track status determined by the terminal's card reader.

Referring to FIG. 1, the present invention is an apparatus for permitting a plurality of individuals to operate an automatic bank terminal, etc. using personal identification cards issued by a plurality of banks or other card issuing institutions. I will provide a.

Each terminal device receives the data read from the identification card,
Financial institution table (FIT) containing cryptographic keys used to verify correspondence between data submitted by an individual using a keyboard
It is equipped with

By allowing the terminal to contact the master FIT located in the host CPU when the terminal is presented with a card issued by an institution that does not have an entry in the terminal's FIT, the FIT is effectively The scale is unlimited.

The terminal device 1 is, for example, one of a plurality of geographically distributed automatic bank terminals (ATMs) in an exchange system.

In such systems, multiple banks agree to accept ATM cards issued by other banks as their own.

An individual wishing to conduct a banking transaction at an ATMI inserts a magnetically encoded card into a card reader 2 and enters his or her personal identification number (PIN) from a keyboard 3.

The account number 4 or other specific valid authorization data read from the card is converted into a number by the cryptographic logic circuit 5;
This number is checked in comparator 6 whether it corresponds to PIN7.

Upon satisfying this and/or other tests, the individual is permitted to proceed with the desired transaction.

Each bank, when issuing identification cards and PINs to its customers, uses 1. 2・・・・・・・・・
・Use km.

A PIN key is, for example, a multiple bit number used by cryptographic logic in deriving a corresponding PIN from an account number.

FIT8 has a set of PIN keys like this kljk2...
・・・・・・kn (for n banks or different formats)
is stored.

The FIT is searched for or otherwise invoked by the bank identification field 9 read by the card reader 2 along with the selection of the default state, as will be explained in more detail below.
2 is a table within the address space of a terminal storage device;

When the master FITIO for all banks or types is managed by the host CPU 11 and the terminal FIT 8 does not have an entry corresponding to the bank ID 9 read from the ID card of the individual requesting permission to complete the transaction, the terminal device 1 calls its master FIT.

The host 11 verifies that the bank ID 9 corresponds to that of the transaction member, and notifies the terminal device 1 of the FITlo item.

Terminal 1 can store this information at location N for use in current and future transactions.

Host 11 is an IBM computer for the IBM 3600 financial system.
It may be a general purpose computer such as a 3601 communications controller or an IBM System/370, or any combination of hosts and subhosts, as will be discussed in more detail below.

As will be discussed later, FIT tables 8 and 10 may contain even more information, thus giving each bank M the flexibility to define not only its own PIN key, but also card format, authorization, and transaction parameters. be able to.

Referring to FIG. 2, the transaction terminal of the present invention is an improvement on the device described in U.S. Pat. No. 3,956,615.

Figure 2 of this US patent is reproduced as Figure 2 of this application for ease of reference.

For a detailed explanation of FIG. 2, see U.S. Pat.
Please refer to No. 15.

Although the form in which the transaction terminal device 1 is implemented is not important for putting this invention into practice, a preferred embodiment is the second embodiment.
As shown in the figure.

Terminal 1 is generally modular and includes a programmable microprocessor 60 coupled by an information bus 62 to a plurality of subsystems of the terminal.

A microprocessor 60 is driven by a clock signal from a clock generator 64 and includes electrically modifiable immediate access memory (RAM) and read-only storage (R).
O8) is operatively connected to a data storage module 66 having both functions.

A read-only storage portion of data storage 66 stores various operating programs for microprocessor 60.

The immediate access storage portion of data storage module 66 provides a scratchpad for program execution, keys, and storage of FIT tables 10.

See U.S. Pat. No. 3,956,615 for operational characteristics of processor support device 68, mechanical control device 70, user communication device 72, cash dispensing device 74, operator function device 76, and communication device 78.

The transaction authorization device of the present invention may require six communication messages between the terminal device and the host during the execution of a user's transaction request.

These will be explained with reference to FIGS. 3 to 5 as follows.

VFIT Trade Request VFIT Reply VFIT Status Trade Request Response Status Trade Request, Reply and Status Messages
56615, but with modifications in this invention.

The VFIT message is substantially the same as the three messages listed later, but is used when the transaction terminal device 1 has to contact the host 11 to obtain a FIT item.

The transaction execution device of the present invention is compatible with the American Bankers Association and/or the Slit Industry Association's two-magnetic stripe identification card format and the track proposed by the International Standards Organization (ISO). 3. It is designed to fit the magnetic card format.

The particular cryptographic algorithm that determines the correspondence between ID numbers and credit card information is not important to the practice of this invention, other than that this correspondence must be dependent on the cryptographic key. .

The cryptographic algorithm described in U.S. Pat. No. 3,956,615 is called Lucifer, and the device of this invention is
Issue (Monday, March 17, 1975) Nat 1
onal Bureau of Standards
Encryption A] gorithnfor
"Computer Data Protection"
(hereinafter referred to as DBS).

Transaction Request Message The present invention adds the following enhancements to the transaction request message described in US Pat. No. 3,956,615.

This message is sent to T-3 and T-2 along with normal transaction information sent to the host/subhost for transaction processing.
Transmit card data.

The message flag byte and PIN item byte are
Added to flag special conditions detected by the terminal.

T-2 and T-3 represent two separate data tracks on the magnetic stripe of the identification card that can be read by the card reader 2.

Either or both of T-2 and T-3 data may be transmitted in a transaction request.

The data map fields that describe which T-3 fields to transmit as well as which areas to send information are located in the issuer's PIN table entry.

The transaction request message includes the following data:

Message heading LL - N representing the length of the message, including the L field - C representing the transaction sequence number - Variable field (VAR) representing the class/subclass of the message (trade request/regular or VFIT transaction) Each withdrawal Total rollover hole counter for requests.

or Transaction Sequence Number Consumer PIN PIN submitted by the consumer or customer Account holder field determined by the consumer's keyboard entry Account holder field determined by the consumer's keyboard entry Special transaction number field Amount field Bill mixed field T-2 Card data message flag bit OT-2 is good.

IT-3 is good.

2 PIN retry count limit reached.

3 Failed to cancel PIN retry.

If you do not submit the correct PIN, this bit An incomplete transaction request is sent by setting Ru.

4. Switch irregularity, which indicates that the card may be stuck, if the irregularity of the switch is detected while the ID card is resting on the back side of the transport part of the card reader.

5 PIN unchecked flag.

Set any time the terminal device does not verify the PIN. It will be done.

6 Two-track card indicating that both tracks 2 and 3 are detected on the ID card.

PIN Retries Indicates the number of attempts the customer made to submit a correct PIN before reaching the limit allowed.

T-3 Data Map Shows which T-3 flairds are being sent in the T-3 card data field.

This is a copy of the T-3 data map found in the PIN table entry for this transaction's ID card.

T-3 Card Data T-3 card data is transmitted when it is successfully read and an entry in the PIN table indicates that it should be sent.

All or some fields of track information may be transmitted as indicated by the PIN table entry σ and three data maps.

VFIT Transaction Request Message This special transaction request subclass (message heading - byte C above) is used when the virtual PIN table item institution selection right is selected (when initializing the terminal device in initial program insertion, ■PL). , the terminal device connects the host/subhost to the virtual PI
You can request N table items.

This option specifies whether requests for virtual PIN items can be made, and specifies the amount of data to be sent for each selected track (T2, T3).

The host/subhost can respond by sending the appropriate PIN table entry.

The VFIT Trade Request message includes the following fields:

Message Header Transaction Sequence Number Message Flags T-2 Data T-3 Data The Message Header and Message Flags fields are specified as described above for trade request messages.

Transaction Reply Message The Transaction Reply Message allows the host/subhost to send T3 data for writing to the card, along with action, display, and statement printer data.

This message has the following fields:

Message Heading Counter Rollover Hole Counter Total Value Actions This byte specifies the actions to be taken by the terminal, including:

0 Display a predetermined user message.

1 Display the user message in the display data field.

2 Print the statement.

3 The time to remove the card has expired.

4. Permit transactions.

5. Own a credit card.

6. Request user confirmation.

7 Write T-3 data.

quantity 1 Number of bills to be paid from hopper #l.

Zero for a terminal device with one hopper.

Quantity 2 Number of bills to be paid (terminal device with one hopper) or number of bills to be paid from money hopper #2.

Display Data Contains the message data to be displayed, if present.

This message may be either a predetermined message number or a special message body.

Statement Data The data to be printed on the transaction statement, if present, i.e. the number of the predetermined message and/or the actual message.

T-3 Data Length T-3 Data Map T-3 Data VFIT Transaction Response Message This special transaction response message transmits the PIN table entries when requested by the terminal.

If the host/subhost is unable to supply a PIN item, the FIT transaction response will have a PIN item field of zero.

Otherwise, unless bit 6 of the action byte is set to 1, the supplied PIN item remains in the terminal's memory until a new item is received.

The PIN item is encrypted into communication key C or key B.

This message has the following fields:

The message header counter rollover hole counter total is stored on the terminal and stored in the host application program.

motion O Display a predetermined user message.

1 Display the user message in the display data field.

4 Enter the PIN item in the message.

5. Own a credit card.

6. Purge the PIN item after processing.

Counter 1 Counter 2 Display Data PIN Item Status Message/VFIT Status Message A status message is transmitted from the terminal device to the host in response to a transaction response message, indicating the processing result of the data received in the response message.

Definitions of various status bits associated with the preferred embodiment of the present invention relate to irregularities in the processing of transactions as well as errors in responding to virtual PIN items.

Selected fields included in the status message are:

message heading transaction sequence number Counter 1 data length field Counter 2 status data 0 T-3 writing failure 1 Irregular ratio of switch 2. Error in virtual PIN table item.

This bit is set if:

(1) When the requested item does not match the returned item based on the issuer ID comparison and card type. (2) When the returned item is too long. (3) PIN length. (4) when the length of the returned item has a value of zero; or (5) when the item has an invalid field position specification. 3. Error Referring now to FIG. 3, an individual wishing to conduct a transaction at terminal 1 inserts a magnetically encoded credit card into card reader 2.

The data read from the card is stored in a data storage device 66 and utilized by the microprocessor 60 to search the local FIT 8, valid authorization data 12, PIN
The shift data 13 used to create the inspection number 15 and the data to be placed in the transaction request message 16 for transmission to the host 11 by the communication device 78 are provided.

At an appropriate time during the processing of this transaction, the individual
N7 is commanded to be sent from the keyboard 3, and is compared with PIN check number 15 by the comparator 6 in the microprocessor 60.

After the consumer card is correctly inserted into the card reader 2,
The terminal device 1 receives the ID of the card issuing institution read from the card so that information related to the transaction can be found and the next step of verifying the PIN submitted by the consumer can be carried out. Try to find the PIN table (FIT) item for.

Track processing, performed by card reader 2 in conjunction with microprocessor 60, reads the credit card and determines whether it can be processed based on track status.

When a consumer inserts a card into card reader 2, the tracks are read and, if necessary, read again to determine the track status for each track.

The condition may be good, bad or undetectable.

If at least one track is in good condition, the card is considered usable.

Each unique issuer of the exchange system supplies a PIN key that is used to validate the PIN and to encrypt the PIN.

Such a PIN key is provided by a member institution of the exchange as an entry in a unique PIN table 8 that is transmitted from the host 11 to the terminal device 1 during initialization (IPL).

Alternatively, these items may be maintained in the host's FITlo (Figure 4) for virtual PIN processing.

The steps taken by microprocessor 6 in searching for a local FIT 8 are shown in FIG.

The same steps can be taken by host 11 in response to a request for VPIN processing.

Searching the PIN table 8, 10 is an attempt to find an entry in the PIN table corresponding to the card inserted by the consumer, if the card is capable of being processed.

The PIN table search algorithm uses the issuer identifier (II) as a search argument and the credit card track status as a qualifier.

The search argument can include up to 20 consecutive digits, including the card format ID, industry ID1 standard issuer ID, and the consumer's primary account number, according to the ISO draft T3 format.

The FLT items are shown in Figure 6 and will be explained later.
Let's explore this as follows.

If the item type specified in the PIN table or FIT does not match the card type (for example, T-2 is good and T-
3 is not detected on the credit card, but the PIN table entry is only T-3, T-2 or T-3 independent or T-2/
If the combination is T-3), the item in the PIN table is skipped.

If the card type matches the type of item in the PIN table, the PIN
The table entry definitions are used to locate the card data to compare with the issuer ID in the PIN table entry.

If they do not match, the same process is repeated for the next PIN table entry.

If there is a match, the search ends and the definition of that item in PIN table 8 is used to process the remainder of the consumer's transaction.

If no normal entry is found for this card type and no selection of virtual PIN table entries has been specified, the search ends at the last entry in the PIN table 8.

If a match is not found, the credit card is returned to the consumer.

Ordinary (i.e. corresponding) item is not found in FIT8,
If the right to select the virtual PIN table is specified for the terminal device 1, the microprocessor 60 assembles a VFIT transaction request message 1T and transmits it to the host 11.

The host 11 searches the host's FITIO, assembles a VFIT reply message 18 that corresponds to item 19 of the FIT table, and causes the terminal device 1 to store it in the FIT 8 or other area of the data storage device 60.

For this reason, before requesting the host/subhost 11 for the VPIN table items, it is checked whether the VPIN items stored internally from the previous VPIN request match the current ID card.

If the item is not found in the host's FITI O, that fact is indicated by bit 4 of the action byte in the FIT Transaction Reply message.

After an item in the PIN table 8 corresponding to the consumer's credit card data is found, the item is inspected to determine whether the terminal device 1 or the host 11 should perform the PIN validation.

If the host 11 has determined that the PIN is valid, the track status is checked, but the terminal device 1 no longer processes the PIN.

Indicates that the track status is a bad track, and the PI
The item on the N table is "Eliminate cards with bad tracks"
Upon identification, the transaction is stopped, the card is returned to the consumer, and an appropriate message is displayed.

Card does not have bad track or PIN
If the table entry specifies ``process cards with bad tracks,'' processing of the PIN proceeds.

In cryptographic algorithm 20, the encrypted PIN key from PIN table 8 is decrypted using a key person to generate a PIN key for use in encryption step 5, which will be described later.

PIN inspection or valid certification data 12 and shift data 1
3 may be located anywhere on either track T-2 or T-3.

If the PIN validation of the terminal device is specified by an item in the PIN table, its location is described by the item in the PIN table.

The PIN processing by the terminal device 1 includes a master key (card data, data from the FIT item selected for the card, and keyboard data submitted by the consumer).

Master key is master key loading command, host 1
1 to the terminal device 1.

If the master key loading command is not executed, the A key sent from the operator/CE panel 76 is used as the master key.

The valid authorization data 12 may be the consumer's account number or any number that the financial institution desires to use to identify the consumer.

The shift data is optional and the PIN submitted by the consumer
and can be selected so that valid certification data can be independently specified.

The following parameters in the FIT entry define the length, displacement, and padding specifications for the card data, the decimal table, and the cryptographic keys needed to perform the PIN check.

- The incoming LDISP determines the displacement of the valid authorization data field from the first card digit of the card data.

VALLEN defines the number of digits contained in the valid qualification data field.

The VALP entry defines the digits used to pad the valid certification data if the number of digits is less than 16.

0FFDISP defines the displacement of the field of offset data from the first data digit of card data.

C[LEN is a parameter that specifies the number of digits to include in the staggered data field, the number of digits to check in the customer-submitted PIN, and the minimum number of digits allowed in the customer-submitted PIN.

DECTAB transmits encrypted valid certification data to 10
This is a table of progressive digits.

EPINKEY is an encrypted PIN key (encrypted with a master key) used to encrypt valid authorization data.

The following data is sent from keyboard 3.

The PIN is a personal identification number input by the customer using the keyboard 3.

PIN length is the number of digits in the PIN submitted by the customer.

Next, referring to FIG. 3, the terminal device 1 performs the PIN check disconnected from the host as follows.
Determine the valid authorization data 12 from the card by determining the length using EN.

2. If VALLEN, which represents the number of digits in the valid qualification data field, is less than 16, then VALPA
Using the digits specified by D, in a padding step 21, the valid certification data 12 is padded on the right side of the 16 digits to create padded valid certification data 22.

3. Obtain the PIN key using either of the following two methods.

If an EPINKEY (or FIT key) parameter is specified in an entry in the FIT table, the master key is used to decrypt the EPINKEY value.

If no EPINKEY parameter is specified in the FIT table entry, the master key is used as the PIN key.

4. Using the PIN key, encrypt the compensatory valid certification data 22 using the cryptographic algorithm 5 to create encrypted valid certification data 23.

5. Use DECTAB to encrypt valid certification data 23
is converted into a decimal digit using decimal evolution routine 24,
Create IO evolution valid certification data 25.

Each hexadecimal digit of encrypted validation data 23 is replaced with a decimal digit from DECTAB.

The decimal digit selected is the digit whose displacement (0-15) in DECTAB corresponds to the value of the hexadecimal digit (0-F) to be replaced in the validation data 23.

q, use 0FFDISP to find the location, and CHK
By determining the length using LEN, shift data 13 is obtained from the card.

If 0FFDISP=255(X'F11v),
Use all zero digits for shift data.

7. In block 26, the shifted data 13 is aligned with the decimal evolution valid certification data 25, and the leftmost digit of the shifted data 13 is at 0 or more digit positions than the leftmost digit of the decimal evolution valid certification data. so that it is displaced to the right.

The number of digit positions for this displacement is Ca from the PIN length.
It is determined by subtracting LEN.

8. Add digit 13 of the shifted data to digit 25 of the matching decimal evolution valid certification data in base 10 for each digit.

The result is PIN check number 15.

9. Using the comparator 6, compare the PIN check number 15 with the digits of the PIN 7 sent by the customer, digit by digit from the right side.

For the comparison to hold, all digits of the PIN check number 15 must be the same as the corresponding digits of the customer-submitted PIN 7.

If the customer-submitted PIN length is greater than CHKLEN, then the leftmost (first submitted) digit of the customer-submitted PIN 7 is not checked.

These extra digits can be any value.

If comparison 6 is true, terminal device 1 proceeds with the transaction by assembling the data and encrypting a portion of it into transaction request message 16 to host 11 .

If comparison 6 does not hold, the terminal device 1 allows the customer zero or more attempts, as determined by the trial configuration parameters.

The terminal device 1 can return the card and stop the transaction without sending any message to the host 11.

Alternatively, the terminal 1 sends an invalid PIN transaction request message to the host 11 and waits for a transaction response that instructs the terminal 1 to return or retain the card and possibly display the message to the customer. .

FIG. 4 shows a host/subhost when processing a VFII request 17 from the terminal device 1.

■Decode the FIT transaction request message 17 according to the procedure explained in FIG. 4 of the above-mentioned US Pat. No. 3,956,615.

As previously described for searching the local FIT table 8 (and according to the procedure shown in FIG. 8), the attached data processing device 11 searches for the sub-host FIT using the track status and issuer identification code, or C to locate the corresponding FIT item 19 in order to encrypt it with the cryptographic algorithm 28.

The encryption algorithm 28 is Federal Regis
ter, Volume 40, No. 52 (March 17, 1975 (
Data Encrypt described in Monday issue)
tion 5and-ards (DES) of
the National Bureau of 5
According to the standards, it can be implemented as an application program executed by an attached data processing device 11 or by a digital hardware logic device.

Using the customer account identification data supplied as track data from the D card during the VFIT transaction request message 17, the attached data processing device 11 can search its customer data file 29 and store it therein. Based on the information provided, the terminal device 1 can be commanded to retain the card, stop the transaction, or approve the transaction through the action bit in the FIT response message 18.

Similarly, the adjunct data processing device can place display data into the VFIT reply message 18 from the display message file 30.

Additionally, cryptographic algorithm 28 encrypts portion 31 of VFIT reply message 28.

If there is no display data due to arbitrary selection, this result FIT
A portion of item 19 may be double encrypted.

The PIN key stored in FIT table 10 is the master
Since it has already been encrypted using a key, this could result in FIT item 19 being triple-encrypted using two different keys.

The auxiliary data processing device 11 can also be connected to the subject data processing device 27 .

This may be a central host of the bank, a central host for all members of the exchange system, or a host or subhost of another member of the exchange system that can be contacted by the subhost 11 via a suitable exchange communication link. .

The attached data processing device 11 becomes a means for communicating the FIT response message 18 to the terminal device 1, including the corresponding items in the FIT 10 for the institution ID and truck status obtained from the VFIT transaction request message 17.

In parallel with the data processing within the terminal device 1 that generates the transaction request message, the sub-host 11 processes the data in the subject data processing device 1.
7 to populate the customer data file 29 in anticipation of receiving a transaction request from the terminal device 1 for the individual identified in the data previously communicated in the VFII solicitation message. , the consumer file can be requested.

For this purpose, the attached data processing device 11 manages the customer data file for the cards it has issued, or stores the transaction data for its own customers in order to process them later in another account file. Data file 29
Just assemble it into .

After this, when the subbost 11 receives a transaction request message from the terminal device 1, all the data necessary to process this request may be present from the beginning or the host 2
7, it can be used from the file 29.

As another embodiment of the invention, the terminal FIT 8 contains entries only for the various formats of the bank that owns or otherwise controls the terminal 1, and all FIT entries for cooperating banks controlled by the entity FITIO. items can be stored, thus increasing the security of the system with respect to invocations of the FIT 8 by bank employees or others.

The FIT item for a predetermined bank may be stored in the terminal device 1 while one transaction is executed, and then deleted.

As a further embodiment of the invention, a bank may change the basis of its issued cards from one format to another.

During this change, it is common for cards with the same institution ID and track status to be associated with two different formats.

The terminal device 1, which does not have the ability to inspect other data on the encoded track, cannot make this distinction.

In this case, the issuing bank may request subhost 11 to provide its FI
In order for the terminal device 1 to manage only the T items and process all transactions requested by the customer to the issuer, the VF
It is possible to request that all ITl&request messages be sent.

In the sub-host 11, an application program is provided to examine all parts or other constituent parts of the data read from the field identifying the format of the card, so that the sub-host 11, when the transaction is completed, Appropriate FIT with command to expel it from storage
Enable items to be supplied to the terminal device 1.

Therefore, as can be seen from the above description, the terminal device 1 can be connected to a host 11 which may itself be a sub-host connected to another remote host 27, thus ensuring data security. In addition, FIT table 8
By distributing customer account files such as 10 and file 29 to multiple locations, processing and storage efficiency can be achieved.

By entering the account data from the host 27 into the data file 29 while replying to the terminal device 1 with the VFITM response message 18, the host 11 can more quickly respond to anticipated transaction requests from the terminal device 1. can respond to.

The host 11 is, for example, an IBM 3601 controller or an IBM
It may be a System 370 data processing device.

Host 27 may be an IBM system 370.

The host 11 is called a subhost when connected to a remote host 27, and is called a host at other times.

In either case, the terms host and subhost are
When used as an interface for the terminal device 1, they are used interchangeably.

Next, referring to FIG. 6, the items of the PIN table will be explained.

There are basically three types of items in the PIN table. T-2 (T-
2 only or T-2 independent), T-3 (T-3 only or T-2
3 independent) and T-2/T-3 combination.

Items can appear in any order in the table.

Items of different types have the same publisher ID, but T-2 and T-3 independent are mutually exclusive with the combination T-2/T-3.

In addition to these item types, common PIN table items can be specified.

Common items, if specified, are located at the end of the PIN table and are
Used for credit cards for which no matching item in the IN table was found.

Items in the PIN table are consumer IDs other than the issuer ID location.
Contains all information necessary for verification.

The location of the issuer ID is obtained from the configuration image provided to the terminal device 1 by the host 11 before any transaction.

Each card type with backing (T-2゜T-3, T
-2/T-3), another sub-item is required in the FIT table 8°10.

Next, fields 41-49 of common portion 40 will be described.

Length of common part item 41 Length of all PIN items including this byte Issuer PIN
Length 43 Maximum PIN length that the issuer will accept.

The minimum acceptable value is 4.

PIN Check Length 44 The number of digits in a PIN that is recognized as valid by the terminal device.

If it is zero, the PIN will not be verified.

Issuer PIN Pad/Test Pad Digits 45 Bits 0-3 are padding digits used by the terminal device if the PIN submitted by the consumer is less than 16 digits.

For DBS encryption, the PIN sent by the consumer is padded to the right to make it 16 digits.

Bits 4-7 are padding digits used when the issuer supplied PIN verification data is less than 16 digits, and are padded to the right of the PIN verification data from the card to provide 16 digits for DBS encryption.

PIN key 46 A key provided by the issuer that is used for PIN encryption and validation of the PIN.

The PIN key is encrypted with the master key.

Decimal conversion table 47 A table provided by the issuer used to validate a PIN.

Encrypting credit card PIN verification data generates 16 hexadecimal digits, which can be divided into 1
It must be converted to a 0-decimal digit.

Each hexadecimal digit is replaced by a decimal digit whose position within this table (0-15) corresponds to the value of the hexadecimal digit being replaced (0-F).

Once the conversion has been performed, a shift value is added to the conversion result, if necessary, and a comparison is then made between the calculated PIN and the consumer's PIN.

Publisher ID length 48 Length in bytes of the ID field.

Issuer ID 49 This contains the issuer ID used to select the PIN table entry.

The entire issuer ID field being X/FP represents a common PIN expression item.

This must be the last entry in the PIN table.

Next, fields 51-54 of only T-2 and T-2
The independent field 50 will be explained.

PIN shift and PIN check position 51 Bit O-3 is the number of field separator for PIN shift T-2, bits 4-7 are PIN check data
Number of field separators for 2.

Issuer PIN Shift Displacement 52 Displacement from the field separator value specified in field 10 of the PIN entry to the PIN shift on track.

If this field is X' F F', no shift is used.

Issuer PIN Verification Data Displacement 53 Displacement from the value of the field separator specified in field 51 of the PIN entry to the PIN verification data on the card.

It is used as a standard for correlation with the PIN submitted by the customer.

Issuer PIN check data length 54 Length of PIN test data written on the card.

If it is shorter than 16 digits, padding digits are added on the right by the terminal, resulting in an 8-byte field for DES encryption.

Next, fields 91-97 of T-3 only part and T-3
Independent field 90 will be explained.

PIN shift and PIN check position 91 Bits 0-3 are PIN shift, number of field separators up to T-3.

Bits 4-7 are the PIN check τ-data, the number of field separators up to T-3.

Issuer PIN shift displacement 92 Displacement from the field separator value specified in field 91 of the PIN entry to the PIN shift on the track.

If this field is X'FF', no shift is used.

Issuer PIN Verification Data Displacement 93 Displacement from the value of the field separator specified in field 91 of the PIN entry to the PIN verification data on the card.

It is used as a standard for correlation with the PIN submitted by the customer.

Issuer PIN check data length 94 Length of PIN test data written on the card.

If it is shorter than 16 digits, padding digits are added on the right by the terminal, resulting in an 8-byte field for DES encryption.

T-3PIN retry position 95 Bit O-3 is open.

Bits 4-7 are the number of field separators up to the field on the card containing the T3PIN retry count.

T-3 PIN Retry Displacement 96 Displacement of T-3 retry count within a field on the card.

T-3 Data Map 97 Indicates which fields within T-3 are sent in a trade request message.

Next, field 101-1 of T-2/T-3 portion 100
07 will be explained.

PIN shift and PIN check position 101) O-3
is the PIN on the track specified in field 102.
Number of field separators to shift.

Bits 4-7 are the number of field separators to the PIN verification data on the track specified in field 103.

Issuer PIN shift displacement 102 Bit O is the position of the PIN shift track.

Bits 1-7 are the PIN on the track from the field separator value specified in field 101 of the PIN entry.
Displacement up to shift.

If this field is XIFFv, no shift is used.

Displacement 103 of issuer PIN inspection data Bit O is the track position of the PIN inspection data.

Bits 1-7 determine the PIN on the card from the field separator value specified in field 101 of the PIN entry.
Displacement to inspection data.

This will be used as a standard for correlation with the PIN submitted by the consumer.

Issuer PIN check data length 104 Length of PIN test data written on the card.

If it is less than 16 digits, padding digits are added on the right by the terminal to make it an 8-byte field for DES encryption.

T-3PIN Retry 105 Number of field separators up to the field on the card with the T-3PIN retry count.

T-3PIN retry displacement 106 T-3 retry displacement within the field on the card.

If this field is X'FF', the retry count is used at the consumer's option.

T-3 Data Map 107 Indicates which fields within T-3 are sent in a trade request message.

7A and 7B illustrate the operation of the best mode of implementing the transaction execution apparatus of the present invention.

The customer ID card is read at 110 and, depending on the truck status as well as the issuer's identification code, a search is made in the local FIT table at 111 for the corresponding FIT entry.

If the FIT item is found in 112, transaction data will be retrieved from the card as well as from what was submitted via the keyboard at 113.
and create a transaction request message for communication 114 to the host.

At the host, the customer account file is examined and a transaction response message is sent back to the terminal at 115 containing instructions regarding further execution of the transaction.

The terminal executes the instructions and sends a status message 116 back to the host informing the host what action has been taken so that the customer account file can be updated appropriately.

The FIT item corresponding to the customer ID card data is local F
If the IT search fails, the terminal device collects data necessary for a VFIT transaction request message to the host at 117.

This VPIN data collection procedure is shown in the flowchart of FIG.

This Figure 9 shows selection 130133 of T-2 and T-3 data in response to control 128 previously provided by the host that selected the VPIN.

The terminal device notifies the host of a VFIT transaction request at 118, and the host receives the encrypted VFIT transaction request from the file.
Assemble a transaction response 119 with FIT items.

The terminal device recognizes the VFIT item as valid at 120,
121 VFIT status message indicating that the VFIT item matches the request or has been otherwise accepted.
Contact the host at

VFI to stop holding the card and/or transactions.
If not instructed in the Tjl'ff return message, the terminal proceeds to collect transaction data and fulfill the request.

When instructed to do so in the VFIT trade response message, when the transaction execution is complete, the terminal device retrieves the VFIT items received from the host from its local FIT table.
Exile at ゜123.

The transaction execution terminal device and transaction execution device of the present invention provide financial institution customers with self-service capabilities.

By using this terminal device, many banking functions can be carried out 24 hours a day without the help of bank staff.

A magnetic stripe card encoded with identification data is issued by a financial institution to a customer, which the customer uses to initiate a transaction at a terminal device.

The customer's identity is verified by a personal identification number (PIN).

The customer enters this number through the terminal's keyboard.

Sensitive data, including identification data, is encrypted to maintain its security.

Encryption and subsequent decryption are performed using a cryptographic algorithm and the financial institution's private cryptographic key.

The cryptographic algorithm of the device is the previously mentioned The Nat
DataEncryption of ionalBureau of 5standards
The algorithm proposed as (DES) can be selected.

The terminal device can be used in exchange format.

That is, card holders from multiple participating card issuers can use the same terminal device.

A table of data used in processing a customer's transaction is maintained on the terminal, and entries for a number of cooperating card issuers are retrieved by the institution identifier read from the customer's card.

If no matching item is found by searching the table, a request message is sent to the host to request matching items from the master table managed by the host.

After you use an item in the master table on a terminal device, you can banish it.

In this way, the security of the system can be increased.

The host's (or subhost's) consumer file is the host's (or subhost's) consumer file for handling transaction requests from terminal devices.
can contain consumer files.

[Brief explanation of drawings]

Fig. 1 is a functional block diagram showing the transaction execution device of the present invention, Fig. 2 is a functional block diagram of a transaction terminal device used in the transaction execution device shown in Fig. 1, and Fig. 3 is a functional block diagram showing the transaction execution device of the present invention. FIG. 4 is an operational block diagram showing how a transaction request is initially processed by the transaction terminal device; FIG. 4 is a functional block diagram of an attached/remote subject data processing device used in the transaction execution device shown in FIG. 1; FIG. 1 is a functional block diagram of a transaction execution device illustrating communication messages exchanged between a transaction terminal and a host or sub-host data processing device during the course of a typical transaction. FIG. 6 is a functional block diagram of a financial institution table stored in the host/subhost data processing device and transaction terminal; FIGS. 7A and 7B are operational flow charts illustrating the steps performed by the transaction terminal in accordance with the present invention; 8th
The figure is an operation flowchart of the FIT search process in Figure 7.
It also shows the steps taken in searching the financial institution table for the subhost of FIG. FIG. 9 is an operational flowchart of the VPIN data collection process of FIG. 7. 2...Card reader, 5...Encryption device, 8...
Financial institution table, 11... host, 78... communication device.

Claims (1)

[Scope of Claims] 1. In a transaction terminal device connectable to a host and for accepting transactions, storage means for storing a plurality of control blocks unique to an issuer, each containing a cryptographic key; , whether there is a card reading means for reading encoded data comprising issuer identification data and card verification data on an identification card presented by the individual at the terminal device; and whether there is a corresponding control block responsive to said issuer identification data. means for searching said storage means; and communicating said encoded data to said host when a corresponding control block is not found in said storage means, and receiving a corresponding control block from said host for writing to said storage means. and means for encrypting the card verification data to generate a card verification number in response to cryptographic key data from the corresponding control block.